Not sure if that's what he's talking about, but this just popped in my IRC client:

[24/02/2017 09:43:50] [Notice] -christel- [Global Notice] Hi all, Cloudflare has announced that a bug may have caused disclosure of data, sent via CF, to third parties, further info can be found at https://blog.cloudflare.com/ | freenode uses CF for CDN, while we have not received any reports indicating that we are affected, we urge webchat users in particular to consider changing their passwords! Thank you.

Yeah, that was Freenode, where #thedailywtf channel lives. Yay.

I mean, I didn't discuss anything sensitive anywhere on freenode, personally, but I think a password change might be in order, just in case...

@heterodox With the massive volume of DDoS attacks available from botnets for anyone willing to lay out the bitcoin, you're effectively forced to use CloudFlare to act as a bandwidth sponge for your website if you don't want it to get knocked over by any script kiddie who wants to have a go. The cost of that is you become susceptible to bugs like this one, as well as the usual impacts of a man-in-the-middle attack. The bug itself is by all accounts the classic C mistake of not checking your bounds logic to see if your I/O write will actually point to where you expect.
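As an added illustration of the bug class the post above describes (this is not Cloudflare's code and not posted by anyone in the thread), here is a toy C scanner whose end-of-buffer test compares the cursor with `==` instead of `>=`. The two-byte `<x` token, the arena layout, the adjacent "SECRET" bytes and the function names are all constructed for the example. Because the over-read stays inside the same 64-byte arena, the program is well-defined and shows deterministically what the buggy check leaks.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration (not Cloudflare's code): a parser whose end-of-input
 * check uses == instead of >=. The parser treats '<' plus the next byte as
 * a two-byte token and skips both. If '<' is the LAST byte of the input,
 * the cursor jumps one past the end pointer, the == test never matches,
 * and the loop keeps copying whatever sits after the input in memory.
 */

enum { ARENA_SIZE = 64 };

/* Constructed arena: a 3-byte request body "ab<" followed, in the same
 * allocation, by bytes that belong to someone else ("|SECRET"). */
static const char arena[ARENA_SIZE] = "ab<|SECRET";
static const size_t input_len = 3;

/* Copies text bytes from [p, pe) into out, skipping "<x" tokens.
 * strict != 0 uses the correct ">=" bound; strict == 0 uses the buggy "==". */
size_t scan_text(const char *p, const char *pe, char *out, size_t out_cap, int strict)
{
    size_t n = 0;
    while (n < out_cap) {
        /* The bound check: == only fires if the cursor lands exactly on pe. */
        if (strict ? (p >= pe) : (p == pe))
            break;
        if (*p == '<') {
            p += 2;       /* skip the two-byte token; may overshoot pe by one */
            continue;
        }
        out[n++] = *p++;
    }
    return n;
}

/* Buggy variant over the constructed arena: returns bytes copied into out. */
size_t leak_demo(char *out, size_t out_cap)
{
    return scan_text(arena, arena + input_len, out, out_cap, 0);
}

/* Fixed variant: stops as soon as the cursor is at or past the end. */
size_t fixed_demo(char *out, size_t out_cap)
{
    return scan_text(arena, arena + input_len, out, out_cap, 1);
}

int main(void)
{
    char out[16];
    size_t n = leak_demo(out, sizeof out - 1);
    out[n] = '\0';
    printf("buggy (==): copied %zu bytes, starts with \"%s\"\n", n, out);
    n = fixed_demo(out, sizeof out - 1);
    out[n] = '\0';
    printf("fixed (>=): copied %zu bytes, \"%s\"\n", n, out);
    return 0;
}
```

The buggy variant copies "ab" and then "SECRET" from the neighbouring region, stopping only when the output buffer is full; the fixed variant copies "ab" and stops. The same shape of defect is why a single malformed byte at the very end of a buffer can turn a parser into a memory disclosure: the check is present, it is just the wrong comparison.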

None of what you said is equivalent to CloudFlare holding the Internet for ransom; it's equivalent to CloudFlare providing an essential service. If CloudFlare were the one launching the DDoS attacks they'd be holding the Internet for ransom.

As far as the bug, you only read the Google thread, I can see. Yes, the bug is obvious in:

I'm all too happy to board the managed languages train, but I can see how certain properties of managed languages could be undesirable in a highly performance-dependent environment and how these mistakes can happen. This is why defense in depth of the type practiced by 1Password etc. is important.

You know, it's interesting how we consider page rewriting bad when a consumer ISP does it, but we think it's somehow perfectly OK when CloudFlare does it...

The latter is authorized by the owner of the page; it's something they chose to enable, just like anything else on the page itself. The former is a third party sticking their nose in where it's not wanted.

Every single place I saw the announcement I also saw the dude posting about his GitHub. It was just for attention. And it was obnoxious because Cloudflare DNS (which I believe is free, or low-cost) != Cloudflare proxy services, and the latter were the only ones vulnerable to having their traffic leaked. The difference in scope is massive. And you just knew the news was going to pick up sites in that list (because they don't know any better when it comes to technology) and then those site owners were going to be busy rebutting news of a leak that in no way affected them.

@heterodox Any reputable site is going to alert its users separately anyway. For instance, Change.org uses CloudFlare, and they emailed all their users to say they likely weren't affected, but it doesn't hurt to play it safe, so change your password anyway. I mean, let's face it, you're meant to change passwords regularly, but who does?

It has a cool name and a logo - this must be serious! Since Heartbleed, bug branding has become a bit of a thing and more than anything, it points to the way vulnerabilities like these are represented by the press. It helps with headlines and I'm sure it does